Home > Vulnerability Database > CVE-2025-23048

Mend.io Vulnerability Database

CVE-2025-23048

Good to know:

Date: July 10, 2025

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Severity Score

9.1

Related Resources (5)

Url: https://security-tracker.debian.org/tracker/CVE-2025-23048

Url: https://security.alpinelinux.org/vuln/CVE-2025-23048

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-23048

Url: https://httpd.apache.org/security/vulnerabilities_24.html

Url: https://www.mend.io/vulnerability-database/CVE-2025-23048

Severity Score

9.1

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version https://github.com/apache/httpd.git - 2.4.64

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-23048

Good to know:

Date: July 10, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?